Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Network-reachable, no authentication per PR:N, no complexity barriers; impact capped at limited integrity and availability with no confidentiality loss per description; unchanged scope.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Lifecycle Timeline
2DescriptionCVE.org
Unauthenticated Broken Access Control in Business Directory <= 6.4.23 versions.
AnalysisAI
Broken Access Control in the Business Directory WordPress plugin (versions 6.4.23 and below) permits unauthenticated remote attackers to perform unauthorized operations against directory data, yielding limited integrity and availability impacts. The CVSS vector AV:N/AC:L/PR:N/UI:N confirms exploitation requires no authentication, no special configuration, and no user interaction, making the attack trivially accessible to any network-reachable actor. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | No special conditions - remote unauthenticated exploitation against default installations of the Business Directory WordPress plugin version 6.4.23 and below. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 score of 6.6 with vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L presents a mixed picture. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with no account on the target WordPress site sends a crafted HTTP POST or GET request directly to an unprotected endpoint exposed by the Business Directory plugin - such as an admin-ajax.php action or a REST route - that lacks authorization checks. The server processes the request as though it were authorized, allowing the attacker to create, modify, or delete directory listings, or trigger actions that degrade availability of the directory feature. … |
| Remediation | Update the Business Directory plugin to a version beyond 6.4.23 by visiting the WordPress admin dashboard under Plugins > Updates or by referencing the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/business-directory-plugin/vulnerability/wordpress-business-directory-plugin-6-4-23-broken-access-control-vulnerability for the confirmed patched release version, which was not explicitly stated in the available data. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Business Directory
View allThe Business Directory Plugin - Easy Listing Directories for WordPress plugin for WordPress is vulnerable to time-based
The Business Directory Plugin plugin for WordPress is vulnerable to CSV Injection in versions up to, and including, 6.4.
Cross-site scripting in the Business Directory WordPress plugin (versions 6.4.22 and earlier) allows authenticated subsc
Unauthenticated cross-site scripting in the Business Directory WordPress plugin (versions <= 6.4.22) allows remote attac
Cross-Site Request Forgery (CSRF) vulnerability in Business Directory Team Business Directory Plugin - Easy Listing Dire
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-40110
GHSA-m542-2fpm-5vj8